IETF
oauth@jabber.ietf.org
Wednesday, July 20, 2016
oej has set the subject to: OAuth WG https://datatracker.ietf.org/wg/oauth/documents/

GMT+0
[01:19:52] SamWhited leaves the room
[02:10:44] SamWhited leaves the room
[02:10:54] SamWhited joins the room
[05:25:55] SamWhited leaves the room
[05:26:03] SamWhited joins the room
[08:13:24] sarahsquire joins the room
[10:31:11] sarahsquire leaves the room
[13:29:55] SamWhited joins the room
[13:45:11] Justin Richer joins the room
[13:46:00] Meetecho joins the room
[13:46:04] Phil Hunt joins the room
[13:48:32] derek joins the room
[13:48:33] Derek Atkins joins the room
[13:48:38] yuki goto joins the room
[13:49:35] <derek> Yay... Timezone timeshift means an accessible meeting time!
[13:50:10] <Justin Richer> @derek: sadly, that doesn't translate to COSE tomorrow morning
[13:50:19] <derek> Justin Richer: I know.  :(
[13:50:29] <derek> and barely translates to SAAG.
[13:51:01] <Justin Richer> true. Unsure if I'm going to make saag or need to nap :-P
[13:56:11] <Phil Hunt> hi back
[13:56:48] Thomas Gallagher joins the room
[13:57:54] sarahsquire joins the room
[14:00:05] Joe Canadas joins the room
[14:02:59] <Phil Hunt> Mic: Regarding the signed discovery, is this not a new use case?  Discovery via a third-party?
[14:03:46] <Phil Hunt> Is someone monitoring jabber?
[14:04:36] lmp qaz joins the room
[14:05:49] yuki goto leaves the room
[14:06:15] <sarahsquire> we are now :)
[14:06:19] Darshak Thakore joins the room
[14:06:33] <derek> Thank you, Sarah
[14:08:38] Simon Pietro Romano joins the room
[14:08:49] wseltzer@jabber.org joins the room
[14:12:15] <Phil Hunt> In the audio queue
[14:24:55] <Justin Richer> mic: This binding doesn't work with native clients, does it? Or how does it work with web clients even?
[14:26:33] <Justin Richer> ok, thanks -- that was my understanding
[14:28:14] Darshak Thakore leaves the room
[14:28:23] <Justin Richer> IMHO that's a valid argument for OAuth 2.1 and requiring exact matching...
[14:33:36] wseltzer@jabber.org leaves the room
[14:35:05] wseltzer joins the room
[14:42:06] wseltzer leaves the room
[14:42:54] Thomas Gallagher leaves the room
[14:44:37] <Justin Richer> mic: +1 to this line of thinking. BCP now, collect things into OAuth 3 or whatever in the future.
[14:47:11] <Justin Richer> mic: Noting that BCP can be updated.
[14:51:34] <Justin Richer> thanks
[14:52:09] <sarahsquire> John said “I didn’t say OAuth 3, but I did imply it”
[14:52:20] <sarahsquire> Tony is asking if our AD has any recommendations
[14:52:26] <sarahsquire> Kathleen says “it’s complicated”
[14:52:35] <Justin Richer> The chat is asking that people use the mic for conversations
[14:52:48] <sarahsquire> We’re just discussing when Kathleen has to leave
[14:52:54] <Justin Richer> ah
[14:53:01] <Justin Richer> I could hear Mike laughing but that's about it
[14:53:17] <sarahsquire> Kathleen: OAuth has scared me for a long time. John: That’s only because you understand what’s going on!
[14:59:32] <Justin Richer> A diagram that can help this: https://www.dropbox.com/s/z6be94x7i0r23w8/Screenshot%202016-07-20%2010.58.15.png?dl=0
[15:02:06] <sarahsquire> Leif: Yeah? What do you want?
[15:04:03] Joe Canadas leaves the room
[15:08:24] <Justin Richer> mic: Tony, yes, that's the point of having a general functional mechanism. I'm glad to see you're on board now.
[15:09:00] <sarahsquire> do you really want that said? or are you just being snarky?
[15:09:22] <Justin Richer> I do want that said
[15:09:28] <Justin Richer> the point is it's not a special case
[15:09:37] <Justin Richer> it's a token presented by a third party
[15:10:37] <sarahsquire> It was noted that it helps to not be in the room when you say things like that.
[15:10:51] <Justin Richer> BS, I'd say that in the room too and they all know it. :)
[15:11:15] <sarahsquire> Tony laughed fwiw
[15:11:26] <derek> Yeah, Justin would definitely have said that in person, too
[15:11:40] <Justin Richer> Thank you, Derek.
[15:11:58] <Phil Hunt> Mic:  does binding to clients make sense?  AFAIK token bindings do not live indefinitely. They can break for many reasons.
[15:12:12] <sarahsquire> Hannes is cutting off discussion
[15:12:25] <Justin Richer> Phil, I think it's per-client-per-transaction
[15:12:53] <Phil Hunt> ok...will have to await more details.
[15:12:55] <Justin Richer> so lifetime of the token
[15:13:16] <Justin Richer> yeah, my understanding isn't as deep as it could be so I'm not positive
[15:14:06] <Phil Hunt> I remember Dirk saying that certain network changes will break a binding. It works well in SSO (where re-authen is possible). But it might prove unstable for some oauth token scenarios.
[15:14:28] SamWhited leaves the room
[15:14:34] <Phil Hunt> IOW - forces numerous re-authorizations.
[15:14:34] SamWhited leaves the room
[15:15:18] <Justin Richer> that's for the browser binding, IIRC
[15:15:24] <Justin Richer> which is what's in TB right now.
[15:15:52] <Phil Hunt> Right. But some of the underlying TLS things change as a mobile app moves from corporate network to mobile networks, etc.
[15:16:04] <Phil Hunt> Dirk said that means the client has to be re-bound.
[15:16:39] <Justin Richer> *hand*
[15:16:45] <Justin Richer> Sarah, put up two hands I guess?
[15:16:47] <Justin Richer> :)
[15:17:11] lmp qaz_9676 joins the room
[15:17:59] lmp qaz leaves the room
[15:21:34] Simon Pietro Romano leaves the room
[15:22:09] <Phil Hunt> :)
[15:22:36] <Justin Richer> mic: 1) Shut up, John. 2) Message level signatures are a necessary thing, and yes it's a mess.
[15:23:28] <Justin Richer> mic: We could alternatively publish HTTP signing as-is.
[15:23:56] <sarahsquire> John says “I’ve been told to shut up, so...”
[15:24:06] <Justin Richer> That's fair, John
[15:24:12] <Phil Hunt> mic: We may need to go to content-specific signing. E.g. signed HTTP JSON requests/responses
[15:25:06] <Phil Hunt> The spec would profile HTTP and describe JSON body as well as header restrictions
[15:25:46] <Justin Richer> Phil: It's a restricted subset already so that makes sense.
[15:25:54] <Justin Richer> *hand*
[15:26:00] <derek> *hand*
[15:26:01] <derek> (I know I don't count)
[15:26:02] <Phil Hunt> (Y)
[15:26:08] <sarahsquire> no hands in the room
[15:26:58] <Justin Richer> or PoP architecture or anything else
[15:27:14] <Phil Hunt> Mic:  the problem is that without signing, a lot of the PoP stuff has limited value. Wouldn't that only leave us with TOKBIND for PoP?
[15:27:46] <Phil Hunt> (sorry, s/PoP stuff/current PoP drafts/)
[15:28:09] <Justin Richer> mic: and I've always thought there'd be different presentation mechanisms. HTTP Signing would be one.
[15:28:28] <Phil Hunt> agreed
[15:28:47] <Justin Richer> there's a fundamental split in OAuth2 between "how to get a token" and "how to use a token"
[15:28:59] Meetecho leaves the room
[15:29:35] <Phil Hunt> "hand" for hold
[15:30:29] lmp qaz_9676 leaves the room
[15:30:40] <Justin Richer> *hand*
[15:31:21] <sarahsquire> Brian says let ACE profile OAuth
[15:32:44] <Phil Hunt> I need a beer.
[15:33:10] Phil Hunt leaves the room
[15:33:13] <Justin Richer> heading to a pub now myself
[15:33:13] sarahsquire leaves the room
[15:33:25] <derek> Wow, that was a sudden ending.
[15:33:26] Justin Richer leaves the room
[15:34:25] Derek Atkins leaves the room
[15:35:54] derek leaves the room
[16:00:11] Joe Canadas joins the room
[16:04:22] Joe Canadas leaves the room
[20:11:19] SamWhited joins the room
[21:16:46] SamWhited leaves the room
[21:16:50] SamWhited joins the room